assertion policy filter: Fallback to match a known attribute or return its name

c00kiemon5ter · c00kiemon5ter · commit f36b06aa2a8a · 2022-04-10T23:19:50.000+03:00
Signed-off-by: Ivan Kanakarakis &lt;ivan.kanak@gmail.com&gt;
diff --git a/src/saml2/assertion.py b/src/saml2/assertion.py
@@ -86,18 +86,19 @@ def filter_on_attributes(ava, required=None, optional=None, acs=None,
     """
 
     def _match_attr_name(attr, ava):
-        name_format = attr.get('name_format')
-        name = attr.get('name')
-        friendly_name = attr.get('friendly_name')
-        local_name = get_local_name(acs, name, name_format) or friendly_name
-
+        name = attr["name"].lower()
+        name_format = attr.get("name_format")
+        friendly_name = attr.get("friendly_name")
+        local_name = (
+            get_local_name(acs, name, name_format)
+            or friendly_name
+            or ""
+        )
         _fn = (
             _match(local_name, ava)
-            if local_name
             # In the unlikely case that someone has provided us with URIs as attribute names
-            else _match(name, ava)
+            or _match(name, ava)
         )
-
         return _fn
 
 
diff --git a/tests/test_20_assertion.py b/tests/test_20_assertion.py
@@ -68,15 +68,55 @@ def _eq(l1, l2):
 
 
 def test_filter_on_attributes_0():
-    a = to_dict(Attribute(name="urn:oid:2.5.4.5", name_format=NAME_FORMAT_URI,
-                          friendly_name="serialNumber"), ONTS)
+    a = to_dict(
+        Attribute(
+            name="urn:oid:2.5.4.5",
+            name_format=NAME_FORMAT_URI,
+            friendly_name="serialNumber",
+        ),
+        ONTS,
+    )
 
-    required = [a]
-    ava = {"serialNumber": ["12345"]}
+    b = to_dict(
+        Attribute(
+            name="urn:oasis:names:tc:SAML:attribute:subject-id",
+            name_format=NAME_FORMAT_URI,
+            friendly_name="subject-id",
+        ),
+        ONTS,
+    )
+
+    c = to_dict(
+        Attribute(
+            name="unmapped_attr_name",
+            name_format=NAME_FORMAT_URI,
+            friendly_name="unmapped attr name",
+        ),
+        ONTS,
+    )
+
+    d = to_dict(
+        Attribute(
+            name="urn:oid:2.5.4.6",
+            friendly_name="c",
+        ),
+        ONTS,
+    )
+
+    required = [a, b, c, d]
+    ava = {
+        "serialNumber": ["12345"],
+        "subject-id": ["id_12345"],
+        "unmapped_attr_name": ["abcd"],
+        "c": ["some-country"],
+    }
 
     ava = filter_on_attributes(ava, required, acs=ac_factory())
-    assert list(ava.keys()) == ["serialNumber"]
+    assert set(ava.keys()) == {"serialNumber", "subject-id", "unmapped_attr_name", "c"}
     assert ava["serialNumber"] == ["12345"]
+    assert ava["subject-id"] == ["id_12345"]
+    assert ava["unmapped_attr_name"] == ["abcd"]
+    assert ava["c"] == ["some-country"]
 
 
 def test_filter_on_attributes_1():
